Understanding how Users Process Security Advice - UMD - January 2016

PI(s): Michelle Mazurek
Researchers: Elissa Redmiles, Amy Malone, Shelby Silverstein

HARD PROBLEM(S) ADDRESSED
Human Behavior

PROJECT SUMMARY

People encounter tremendous amounts of cybersecurity advice. It would be impossible to follow all the available advice, so people pick and choose which advice to follow and which to ignore in different circumstances. But the advice they pick is not always the most correct or useful. In this project, we will examine where people encounter security advice, how they evaluate its trustworthiness, and how they decide which advice to follow or reject. We will compare the way users process physical-security advice to the way they process cybersecurity advice. By more scientifically understanding how users interpret the advice they hear, we can try to improve the way advice is disseminated to help users prioritize advice that is effective.


PUBLICATIONS
How I Learned To Be Secure: Advice Sources and Personality Factors in Cybersecurity. Elissa M. Redmiles, Amelia Malone, and Michelle L. Mazurek. Poster, Symposium on Usable Privacy and Security (SOUPS), July 2015.

I Think They're Trying to Tell Me Something: Advice Sources and Selection for Digital Security. Elissa M. Redmiles, Amelia Malone, and Michelle L. Mazurek. In Submission.


ACCOMPLISHMENT HIGHLIGHTS

We completed analysis of our qualitative study and submitted the results to a top security conference. In this study, we interviewed 26 participants from a wide range of ages, ethnicities, and income levels, as well as several security-sensitive professionals.

Our results indicate that people are generally less confident in assessing the credibility of cybersecurity vs. physical security advice. According to one participant, “plausibility is hard to measure with cybersecurity [advice], so it can be harder to believe.” Corporate/work IT departments turn out to be a significant source of trusted advice. Participants elect not to follow advice they know about for a variety of reasons, ranging from inconvenience, to not understanding why the advice is useful, to concerns that the advice will threaten their privacy or is offered as marketing rather than sincerely.

It's reasonably well known that users don't always apply the most expert-recommended advice, such as using two-factor authentication. We have found evidence that users don't use two-factor partially because they are unaware of it, partially because they don't understand whether it provides a real benefit, and partially because the prospect of giving out a phone number feels intrusive or threatening.

Our next step is to conduct a large-scale quantitative study to expand and confirm these results. We have completed a first draft of the survey protocol and expect to begin piloting it with cognitive interviews in the next two weeks. We have identified a sample provider that will allow us to obtain a representative sample of U.S. adults at a reasonable price. Pending human subjects approval at DoD, we anticipate completing quantitative collection by the next quarterly report.

Grad student Elissa Redmiles received a "data grant" from the Data&Society institute in part due to her work on this project. This data will be combined with our quantitative data to allow further in-depth analysis.